Intelligent security components pave the second wave of convergence

The use of Internet Protocol (IP), or networking, is commonly associated with convergence. In this article, Markus Lahtinen of Lund University's LUSAX project, contends that the shift to network-enabled "intelligent" security components which increasingly have better computational and memory capacity has a significant impact on the present and future dynamics of the security industry, whether it be in the realms of digital video surveillance or electronic access control.

The aforementioned shift is clearly visible when we compare a digital network camera with an analogue surveillance camera. Apart from the fact that a digital network camera may be connected to existing Internet cabling for transmission and power supply, the network camera in itself is also a computer with a central processing unit, functioning as an IP-addressable web server. The typical analogue setup was to allow for computational processing at the recording unit, meaning the Digital Video Recorder (DVR). However, the computational capacity has spread to the camera-unit with digital network cameras enabling real-time processing of image (video) data. As a result of this shift, end users clearly benefit with significantly better image quality provided by the digital network cameras.

From a security end-user's point of view, the change is often behind the curtain, as there is little in terms of increased overall security effectiveness. Yet, the impact of the shift is significant from an industry perspective.

Not only are security cameras becoming computerised, but computerisation is also taking place in the electronic access control market

First and foremost, the change of cabling for transmission between the security camera and the recording unit has generated a fierce and lengthy industry debate under what conditions the cost of the digital setup outperforms the typical analogue setup. It is also clear that this debate has been further bolstered by the intrinsic nature of what is security effectiveness, spurring an even more intense cost-comparison debate.

Secondly, firms previously offering internet network services have potentially been able to leverage their network skills by entering into the market space of offering surveillance systems. From the research my colleagues and I have made within the framework of the LUSAX project, it is clear that there are instances where pure-play network companies have been bidding for the same contracts as the firms offering traditional analogue surveillance systems. We have no clear evidence as to the size and scope of this competition.

However, it cannot be ruled out that the increased competition and the fierce debate on analogue versus digital cameras have positively spilled over to the end user-side of the market, enabling for a mutually beneficial expansion of the video surveillance market. This could be referred to as the "first wave" of convergence, mainly characterised by a change towards the Internet as transmission medium for security applications.

Computerisation of security products on the rise

By virtue of the decentralisation process, the computational capacity spreads to the camera-unit

Understanding that computational and memory capacity lie at the heart of the matter, it is clear that the technological change is only in its infancy. Not only are security cameras becoming computerised, but computerisation is also taking place in the electronic access control market. A few examples that are commercially available within the door entry market include self-diagnosing door entry systems where products can enable efficient expansion of legacy access control systems based on wireless networking technology and keys having built-in memory units in the plastic enclosure.

Harnessing the power of computational and memory capacity

To summarise, the "second wave" of convergence is the key success recipe for the security business of the future. This entails creating end user value by harnessing, coordinating, and building entry-barriers around the computational and memory capacity located in network-enabled security.

In case you missed it

There is a new event on the calendar for the security industry in 2019: The Security Event 2019, 9-11 April, at NEC, Birmingham. For additional details and a preview of the new trade show and conference, we spoke with Tristan Norman, Founding Partner and Event Director, The Security Event.
Q: It seems recently that some trade shows have been on the decline in terms of exhibit size and attendance. Why does the physical security industry need another trade show?
Norman: I think there are numerous factors that play into the decline of trade shows in general and not something that is limited to the security industry. Those events that are suffering are no longer serving their target market or have failed to adapt to the changes in the industry they serve. However, what we are seeing now is the rise of focused, more “evolved” trade events which fulfil a gap in the industry event calendar and provide something new and fresh to a disillusioned audience.
Q: What will be unique about The Security Event, and what role will it serve in bringing together buyers and sellers in the market? Where (geographically) will attendees come from? What we are seeing is a rise of trade events which provide something fresh to a disillusioned audience
Norman: The driving ethos behind The Security Event is that we are “designed by the industry, for the industry.” We were able to start with a blank canvas and take onboard all the feedback from stakeholders throughout the security buying chain and create an event that is sustainable and fit for purpose. We see the role of the event as a very important one – to truly reconnect the currently fragmented UK commercial security industry, back at the NEC in Birmingham.
We had originally anticipated that this would be an almost-exclusively UK event in year one. However, we have seen significant interest from potential visitors from across the wider EMEA region who are keen to do business in the UK. We formed a strategic alliance with Security Essen to help facilitate and strengthen our reach in these regions through additional marketing and PR activities. Consequently, early registrations indicate that it will be approximately an 80% UK and 20% international split.
Q: What conference programming is being planned to augment the trade show event?
Norman: Content will be delivered across three focused theatres, serving the needs of our audience throughout the buying chain. Emphasis will be placed on the latest technology innovations impacting the industry, practical advice on the most pressing issues facing security technicians, and important industry updates and insights.
All sessions are focused on delivering tangible benefits to ensure professionals are equipped to stay relevant and to grow their business and we’re excited to be working with key industry bodies, innovators and experts to deliver the programme. We look forward to announcing those in coming weeks.
Exhibitors want to re-engage with the thousands of industry colleagues who no longer attend other events on offer
Q: Comparisons to IFSEC are inevitable. How will The Security Event be different than the IFSEC Security and Fire shows? What are the advantages of locating at Birmingham NEC?
Norman: Both The Security Event and The Fire Safety Event, based at the NEC are completely different to any other trade show in the UK. We pride ourselves in creating a business platform that puts the exhibitors’ needs first, by limiting the size of stands and total number of exhibitors as well as creating a comprehensive CPD accredited educational programme for the visitors.
Q: Which big industry players are supporting the launch of The Security Event, and what feedback are you hearing in terms of why they signed up at the show's inception? If a global manufacturer has a footprint in both the US and Europe, any tradeshow will be managed locally
Norman: Our founding partners are Assa Abloy, Avigilon, Anixter, Comelit, Dahua, Honeywell, TDSi, Texecom, Tyco and Videcon. The full list of exhibitors and supporting partners can be found on our website.
The reasons why they have signed up are very simple. They all see the exact same gap in the industry event landscape as we do. We believe there is a need for a 3-day channel focused commercial security exhibition based at The NEC in Birmingham. Our exhibitors want to re-engage with the thousands of industry colleagues who no longer attend the other events on offer.
Q: Your 2019 show will be the same week as ISC West in Las Vegas. Do you think the competitive calendar will be a factor?
Norman: In terms of our both our audience and our exhibiting base there is very little overlap with ISC West. Generally, if a global manufacturer has a footprint in both the US and Europe, any tradeshow will be managed locally so we haven’t observed any issues so far.
We do acknowledge that having two shows at the same time globally isn’t ideal and we have moved our dates in 2020 to the 28-30 April to mitigate this going forward.
The Security Event 2020 will not clash with Las Vegas' ISC West 2020 as it will in 2019, says Norman
Q: How will you measure success in the first year of the show? What measurements (show size, number of attendees, exhibitor feedback, etc.) will constitute a "successful" first year for the show?Security Event will continue to evolve year after year, but will intent to stay true to the event's original concept
Norman: Great question – the most important barometer of success for me and the team next April is the general industry reaction, after all, this show was created for them. Furthermore, it is vital to us that our exhibitors feel they have achieved their objectives for the show, whether it be quality, quantity of leads or raising awareness of a new product launch. We’ll also be keen to understand how satisfied visitors are with the event, including their views of the content, access to new products/services, effectiveness of the out of hours networking, etc.
We are anticipating 6,000 visitors over the 3 days and I believe if we achieve this goal, we will have a strong rebooking on site, laying a great foundation for our 2020 event.
Q: How would you expect/hope the show would continue to evolve in coming years?
Norman: I hope over the next few years The Security Event cements itself as the industry’s favourite trade show and that exhibitors and visitors alike look forward to every year for both the business opportunities at the event and the networking outside of it. The Security Event will continue to evolve year after year, but I am determined that we stay true to our original concept and the principles on which the show was founded. After all, it is this formula that has proved to be so popular to date.

In the wake of 9/11, the Federal Government’s secure-the-fort, big idea was to create an identity credential for all federal employees and contractors. Homeland Security Presidential Directive (HSPD)-12 set it all in motion. Today, we know the smartcard-based credential that arose from HSPD-12 as the Personal Identity Verification (PIV) card.
The PIV card is meant to give employees/contractors physical access to federal facilities and logical access to federal information systems. While using a PIV card for logical access has been largely successful and compliant with HSPD-12, implementing PIV-based, physical access control systems (PACS) has been much more difficult to conquer. As a result, HSPD-12 compliance for PACS has largely eluded the Federal Government. The noncompliance reasons are many, but there is now hope for fully achieving HSPD-12’s mandates.
Interoperability with any agency’s PIV
Beyond Passports, PIV cards represent the only other open-standards-based, multi-vendor-supported, identity credential program on the planetAll Executive Branch employees and long-term contractors, including the entire Department of Defense, have been issued PIV cards. This has been true since 2013. Beyond Passports, PIV cards represent the only other open-standards-based, multi-vendor-supported, identity credential program on the planet.
It seems so simple, where employees/contractors previously used their proximity card to open a federal facility door or go through a turnstile, they should now be able to use their PIV card. However, HSPD-12 took the PIV requirement one step further – compliant PACS must be interoperable with any agency’s PIV. This introduced an entire magnitude of additional complexity.
A compliant, interoperable, PIV-based PACS should work like this: an authorised employee (or contractor) presents a PIV card (contact or contactless) to a card reader to enter whichever federal agency building they have reason to be. Over the last 14 years, in all but a very few cases, the lack of PACS’ HSPD-12 compliance has prevented this from happening.
Secure credential policy
Today, less than 1% of the Federal Government’s PACS are HSPD-12-compliant. At most federal facilities, especially those outside the National Capitol Region, a noncompliant PACS works like this: an authorised employee (or contractor) presents a proximity (‘prox’) badge to a proximity card reader to enter his or her agency’s facility. At the fraction of federal facilities with upgraded PACS that work with PIV cards, virtually all such PACS fail to properly use a minimum number of PIV security features before granting access – let alone interoperate with a PIV card from any other agency.
Active government solicitations are issued for new, non-compliant, proximity-based systems that perpetuate the delay to HSPD-12 complianceNew federal initiatives frequently suffer from having no policy to enforce their roll-out. That isn’t the case with PACS compliance. Policies have been in place for so long that newer policies like Office of Management and Budget (OMB) M-11-11 (February 3, 2011) remind everyone what the policies said in 2004 and 2006. This year, OMB publicised its proposed OMB M-18-XX (Draft), which will replace M-11-11. OMB M-18-XX’s (Draft) main PACS thrust is, once again, to ensure that everyone understands what the Federal Government’s secure credential policy is. It hasn’t changed since 2004.
It would be tempting to say that PACS technology isn’t mature, but that isn’t the case. In 2013, the Federal Government revamped the PACS portion of the FIPS 201 Evaluation Program and, since that time, all PACS on the General Services Administration’s (GSA) Approved Products List are 100% compliant and interoperable. Yet, on any given day, active government solicitations are issued for new, non-compliant, proximity-based systems that perpetuate the delay to HSPD-12 compliance.
The usual suspects, policy and technology, are not the culprits for this epic delay.
An authorised employee presents a PIV card to a card reader to enter whichever federal agency building they have reason to be
Difficulties in adopting HPSP-12 compliance for PACS
Standards – The Federal Government’s approach to standards is to avoid a great deal of specificity. It’s an unspoken tenet that federal standards must be flexible, promote innovation and avoid disadvantaging any participating market segment. The opposite is true if your goal is interoperability: nearly every detail must be specified. Consider the standards-based success story of chip-based credit cards. When was the last time you used a credit card and it didn’t work? Interoperability failures are nearly unheard of. If you look at the hundreds of volumes of technical specifications that cover minute aspects of every component in credit cards and payment terminals, you quickly realise why it works so well. Nothing is left to chance, nothing is a variable, and there is no optionality.
The Good News: Work to increase viability through deep scrutiny has progressed in recent years. The GSA APL PACS Testing Lab, set up in 2013, annually tests credentials from all PIV issuers against all GSA-approved PACS. This testing has significantly reduced interoperability failures at federal facilities.
Collaboration – In the past, physical access practitioners from federal agencies rarely collaborated, unlike their logical access counterparts. This is also true for PACS procurement decision-makers across agencies and facilities.
The Good News: In 2018, an agency trend has emerged where finally physical access, physical security and IT practitioners have begun sitting down to discuss their shared responsibilities. We have already begun to see coordinated budget requests between IT and Security with enterprise architectures positioning PACS as an enterprise service on the network.
Scale – The Federal Government owns so many buildings that they can’t be counted. Google doesn’t know how many there are and neither does any one government official.
Variability – A significant percentage of facilities have unique aspects making a one-size-fits-all approach infeasible.
The Good News: Mature consulting services can now help agencies marry federal requirements with their unique environments to develop robust PACS enterprise architectures. As we see this occurring more and more frequently, a repeatable, achievable, systems-based upgrade of all PACS may be on the horizon.
The GSA APL PACS Testing Lab annually tests credentials from all PIV issuers against all GSA-approved PACS
Provenance – In many cases, different groups own different parts of a single facility, not all of whom might be subject to, or wish to interoperate with, a high-assurance compliant PACS. For example, GSA manages facilities for Legislative and Judicial tenants who aren’t subject to HSPD-12. Policy dictates that GSA manage the PACS for the front doors of these facilities should be HSPD-12-compliant, despite the fact that these tenants likely don’t have credentials that work with this technology. Sure, these tenants could commercially obtain a PIV-I credential, but almost none have.
Economics – It’s difficult for agencies to create their annual security budget requests when HPSD-12 PACS upgrades are in scope, because so many unknowns exist at each facility. To assess the cost, the time to complete, and the facility’s existing equipment inventory, it would be logical for an agency to hire a contractor with PACS expertise to perform a site assessment. Having to do capital planning for an assessment phase in advance of making the annual budget request for the PACS upgrade creates a never-ending cycle of delay. Especially at agencies with multi-year capital planning requirements. Many agencies, trying to avoid this delay cycle, have fallen prey to doing site assessments themselves. This results in their integrators doing their walk-throughs after the contract is awarded. This is the leading cause of PACS upgrade cost overruns.
Dependence on the agency’s IT department – Historically, PACS have been deployed on dedicated networks and are rarely ever connected to the enterprise, let alone the Internet. High-assurance PACS that validate credentials from other agencies must now communicate with many different systems on an enterprise network and over the Internet – so much so that the Federal Government reclassified PACS as IT systems.
The Good News: With collaboration increasing between Physical Security Officers (PSOs) and Chief Information Officer (CIOs), we expect this to improve in due course.
Resistance to change – This is a classic human factors challenge, and it’s a big one. PSOs have spent decades achieving their positions. PIV-based PACS could not be more different from the technologies that proceeded it, and such radical change is often resisted. When the value proposition is clear, change is adopted more readily. But security value isn’t easily measured or observed. It is often said that the best performance review for a PSO is to note that nothing happened. And when something does happen, it is necessarily kept quiet so the risk can be remediated without calling attention to the vulnerability in the interim. To date, the value proposition of moving to PIV-based PACS has been entirely based on policy (without corresponding funding in most cases) and through the shock value of white hat hackers, showing how easily most proximity badges can be cloned. This is not the stuff of change agents.
PIV-based PACS could not be more different from the technologies that proceeded it, and such radical change is often resisted
Are these challenges a unique situation?
No, these PACS challenges are not unique. Cybersecurity initially faced many of the same challenges that federal PACS face today. By 2000, the Federal Government recognised its urgent need to improve cybersecurity practices across its computing infrastructure and issued many policies that required agencies to improve. Improvement was sparse and inconsistent. GSA Schedules were set up to help agencies buy approved products and services to assist them, but this too produced lacklustre results.
The Federal Government found that the best cybersecurity results occurred when enforced at the time an agency commissioned a system
Congress enacted the Federal Information Security Management Act of 2002 (FISMA) (now amended by the Federal Information Security Modernization Action of 2014). FISMA mandates an Authority To Operate (ATO) accreditation process for all information systems. The Federal Government found that the best cybersecurity results occurred when enforced at the time an agency commissioned (vs. purchased) a system.
FISMA and ATO accreditation has been highly successful when implementing new systems. These cybersecurity requirements are the closest thing that the Federal Government has to the ‘PIV Police’ today. However, the PIV requirements in FISMA and ATOs currently apply to only logical access for information systems.
The proposed OMB M-18-XX (Draft) mentions that a FISMA PACS overlay to NIST SP 800-53 is forthcoming. The intent of the PACS overlay is to use the army of ATO accrediting officials in the Federal Government and enable them to assess implemented PACS as fit for purpose. This is the first time an enforcement approach has been brought forward that could reasonably succeed.
How long for HSPD-12 compliance?
We know that it won’t take another 14 years to achieve HSPD-12 compliance. Pockets of compliance are popping up. Compliant procurements do exist, and the state of PACS across the Federal Government is better in 2018 than in any previous year. Progress to date has been at a constant rate. The question is: what would take for progress to occur at an exponential rate instead? A major attack or compromise involving PACS would certainly hasten upgrades, but let’s hope that’s not the solution.
The energy distribution sector has been riding a wave of security upgrade demands to retrofit their facilities across the U.S.
The energy distribution sector, under nearly constant Advanced Persistent Threat attacks, has been riding a wave of security upgrade demands to retrofit their facilities across the U.S. The potential threat exists for Federal Government facilities as well.
Looking into the federal PACS-compliance crystal ball, we’re beginning to see the faint outline of a multi-faceted campaign of education, budgetary oversight and accreditation of PACS that will ultimately see us past the tipping point. Consider though, at the current rate of PACS enablement, a 50% compliance rate is still far in the future.
When that day arrives, the PIV card form factor may no longer be the key that fits that future lock. (Are you already using a mobile device’s Bluetooth interface to open the door to your office building?) Taking decades to perform a technology upgrade is the aging elephant in the room no one talks about. By the time critical mass is achieved with an upgrade facing these many challenges, there are typically compelling reasons to start over again with the next generation of technology. That cycle may well prove to be the Federal Government’s biggest PACS challenge of all.

As the world continues to become more connected, it’s becoming increasingly important to adjust security and safety procedures in the workplace. But today’s ever-evolving office environment can present unique safety and preparedness challenges.
No two businesses are exactly alike, with some located in numerous buildings or spread out across campuses, while others have employees that frequently journey from different locations, work remotely or travel internationally. With this shifting environment, Rave Mobile Safety’s recent Workplace Safety and Preparedness survey asked over 500 full-time employees in various industries across the United States about their views on safety at work and emergency preparedness.
Preferred safety measures
Only 57 percent of respondents indicated that their workplace currently had preparedness drills in place for critical situationsThe survey looked at how employees and companies respond to various workplace emergencies: workplace violence, active shooter, medical emergency, fire, hazmat incidents, weather events and cyberattacks/system outages. Respondents provided insight on the current state of safety in their workplace, as well as how they want to be contacted when an emergency occurs.
Though opinions on the preferred safety measures differed between generations and also between on-site and offsite workers, one fact remains consistent: there is much to be done to instil a better sense of safety in the workplace. While the findings show that employees feel safe in their workplace, only 57 percent of respondents indicated that their workplace currently had preparedness drills in place for critical situations.
Quick thinking
Of the plans currently in place, excluding fire, 57 percent of the other major emergency plans were rarely or never tested. With so few drills in place, employees are left not knowing the best ways to respond to emergencies like weather events or hazmat incidents or if their employer recommends a certain response to situations like medical emergencies.
Testing these plans is essential so that all employees, whether they are new to the company or not
Even if plans are in place to begin with, not ensuring your employees understand and are comfortable with how to react to certain situations, can put the organisation in harm’s way. Testing these plans is essential so that all employees, whether they are new to the company or not, have the appropriate response top of mind and their actions become second nature during a situation that will likely require quick thinking.
Workplace violence
Instilling regular practices will only further ensure that responses will happen seamlessly, regardless of the emergency. Beyond the general awareness of drills and practices, most surprising in the responses was the fact that 34 percent of female respondents were unaware of workplace violence emergency plans.
This is particularly shocking because workplace violence is the second leading cause of death for women in the workplace, according to the U.S. Bureau of Labour Statistics. This shows an obvious lack of preparedness from organisations. It’s immensely important that employees to understand the relevant dangers of the workplace, especially when alternative could have a fatal result. The differences between baby boomers and millennials in the workplace is a common barometer showing how the workplace is continuing to change.
Emergency plans
Workplace violence is the second leading cause of death for women in the workplace, according to the U.S. Bureau of Labour StatisticsWhat may have worked for previous generations must be reworked and adjusted so every generation is made aware of and understands the plans and procedures in place. These changes can help make workplace safety plans fresh and continuously relevant.
With that in mind, millennials currently represent the largest segment of employees unaware of emergency plans for major workplace emergencies. 38 percent of this age group are unaware of existing emergency plans, compared to just a 28 percent average of employees over the age of 35. This could be associated with the fact that some organisations are not communicating plans with newer employees or even that organisations that employ a significant number of millennials might not have plans in place at all.
Affecting everyday work
If the newest generation is unaware of these plans, then it is only a matter of time before Generation Z enters the workforce and is in even worse position when it comes to emergency awareness.
The survey results showed that on average, workplaces use two methods of communication for emergencies
Feeling safe and secure at work should not be something that workers need to focus on, however more than a quarter of respondents that work remotely said that worrying about safety is exactly what is affecting their everyday work. With that in mind, it’s even more concerning to see that there seems to be a clear divide between current methods and preferred methods of communication during an emergency. The survey results showed that on average, workplaces use two methods of communication for emergencies, with the top two being intercom system announcement/building alarm (27 percent) and email (22 percent).
Mass text messages
At first, these methods seem to cover both remote and in-office employees, but survey results actually showed that both groups preferred and would be better reached during other methods.
While email is the second most common emergency method currently in place by organisations, it actually ranks as the fourth most preferred method at a mere 11 percent. Even with a clear preference towards communication via mass text messages by respondents (39 percent of remote workers prefer this method), less than 20 percent of companies actually take advantage of this technology. This clear disconnect shows that organisations must find what works best for their employees instead of using methods that were previously established or that are just currently being used.
Preparedness plans
What remains important for organisations, regardless of size or industry, is to keep emergency preparedness plans ever evolving
Communication can not only be essential to alert employees to everyday situations, like office closures, but it is also imperative in preventing emergencies to escalate when they do occur. Although this survey discusses the current state of safety in the workplace, it’s that the disconnect between employee perceptions and employer polices that’s the most concerning.
Companies need to take steps to understand how their employees would like to be reached during an emergency, as well as how employees would also like to reach out to management to report their own concerns.
What remains important for organisations, regardless of size or industry, is to keep emergency preparedness plans ever evolving and well communicated, so your employees are confident in the emergency plans in place. By proactively planning and practicing for emergency events through table top exercises and drills, employers can demonstrate their commitment to employee safety and preparedness and build employee confidence.